Oracle quarterly patch 154 vulnerabilities addressed

2 years ago

Oracle quarter results: Oracle publishes its quarterly patch for its various programs and not less than 154 corrects vulnerabilities among its different software. Among the many faults drop the score of 10.0 on the CVSS scoring system, indicating critical flaws remotely exploitable and authorizing the compromise of the entire system.

Java is obviously part of the lot with as many as 25 faults corrected 24 of which are remotely exploitable. 7 of these vulnerabilities have a CVSS also code 10.0, indicating a particularly simple flaw exploited by the attackers and allowing them to take control of the machine.

The fix for Oracle Fusion Middleware fixes 23 flaws on his side, including 16 remotely exploitable and without requiring a successful authentication from the attacker. MySQL corrects its side 30 security vulnerabilities, and later Oracle Industry Applications fixes 14 vulnerabilities, including 13 remotely exploitable and bypassing authentication.

Oracle still wants to reassuring and explains on its blog that it’s security teams have so far identified any exploitation of these vulnerabilities by cybercriminals. This is half true: One of the flaws corrected on Java, the flaw CVE-2015-4902 corrected by this patch was spotted by Trend Micro in the arsenal of Pawn Storm Group (also known under the name of APT28).